Operations
12/20/2016
10:30 AM
Joshua Goldfarb
Commentary

20 Questions Security Pros Should Ask Themselves Before Moving To The Cloud

A template for working collaboratively with the business in today's rapidly changing technology environment.

Everywhere I go lately, the cloud seems to be on the agenda as a topic of conversation. Not surprisingly, along with all the focus, attention, and money the cloud is receiving, comes the hype and noise we’ve come to expect in just about every security market these days. Given this, along with how new the cloud is to most of us in the security world, how can security professionals make sense of the situation? I would argue that that depends largely on what type of situation we’re referring to, exactly. And therein lies the twist.

Rather than approach this piece as “20 questions security professionals should ask cloud providers,” I’d like to take a slightly different angle. It’s a perspective I think will be more useful to security professionals grappling with issues and challenges introduced by the cloud on a daily basis. For a variety of reasons, organizations are moving both infrastructure and applications to the cloud at a rapid rate - far more rapidly than anyone would have forecast even two or three years ago.

As security professionals, we are way beyond the point of simply being able to tell the business they cannot move certain things to the cloud. Instead, we need to work collaboratively with the business to mitigate the risks introduced by the changing business environment. Given that we find ourselves in this situation, we need a different approach. What are 20 questions security organizations should be asking themselves as the business moves to the cloud?

By DuMont Television/Rosen Studios, New York (photographer). Uploaded by We hope at en.wikipedia (eBay item, photo front, photo back) [Public domain], via Wikimedia Commons.

  1. Do we know how much it costs to build, maintain, and operate data centers? That is the first step to understanding the pressure the business is under.
  2. Have we opened up the lines of communication and listened acutely to the business?  Before we can expect the business to listen to us, we need to build bridges, gain trust, and listen to the business.
  3. Do we truly understand the needs of the business? It’s hard to convince the business that we have their best interests in mind when we don’t fully understand what that means.
  4. Do we knee jerk? We must be honest with ourselves to determine if we are truly behaving proactively, or if we are merely behaving reactively.
  5. Do we always say no? We must be careful not to be the program of no to a business that will increasingly roll its eyes and work around us.
  6. Are we focused on mitigating risk rather than simply playing whack-a-mole? We need to think holistically and strategically about mitigating risk. We don’t want to win the battle but lose the war.
  7. What infrastructure has been or will be moved to the cloud? It helps to know what infrastructure we are looking to protect when we set out to protect it.
  8. What applications have been or will be moved to the cloud? It also helps to know what applications we are looking to protect when we set out to protect them.
  9. Are we able to enumerate the top five or 10 risks introduced by the move to the cloud that concern us? That’s generally a good place to begin when looking to mitigate risk.
  10. Are we certain that the move to the cloud always introduces additional net risk? While it is true that certain risks may be introduced, it is also quite likely that some legacy risks may actually go away.
  11. Are we positive that we can secure something better than someone whose core business depends on it? Granted, not all cloud providers are equal, particularly when it comes to security. But if the provider takes security seriously, they can bring resources and economies of scale to securing our applications and data that we will never be able to bring.
  12. Is all really lost when applications move to the cloud? It is entirely possible that a new infrastructure will give us visibility into applications like we’ve never had before. But we have to involve ourselves as a friend of the business from the beginning.
  13. Are we focused on data? In the cloud, it’s more about protecting data, and less about protecting infrastructure and assets.
  14. Have we considered the economics of the cloud for our own internal security purposes? Not all security products and services need to be racked and stacked in-house anymore. In fact, some of the most interesting ones are cloud-based.
  15. Have we looked into simplifying our own security stack in the cloud? As technologies mature, it may make sense to take a strategic look at consolidating and simplifying security infrastructure as well.
  16. Have we looked into the efficiency gains and operational scale the cloud can bring us?  Trying to run a query across several months’ worth of data on a 2U vendor appliance can be painful. But with the scale that the cloud provides, that same query can return lightning fast.
  17. Do we have the necessary visibility into infrastructure and applications in the cloud? If not, how do we plan to gain that visibility?
  18. Have we considered how we will retain response capability with the move to the cloud?
  19. Have we thought about looking to the endpoint as a potential source of visibility and control as the traditional enterprise infrastructure slowly disintegrates before our very eyes?
  20. Are we focused on the big picture? The cloud is relatively new and can seem a bit scary, but have we thought about the fact that if we do our homework properly, we may even end up with a better security posture than we had before the move to the cloud?

Nearly all security professionals today are grappling with the business moving to the cloud in one form or another. While a few years ago, the mere thought of this happening would have seemed nearly impossible, it is now the reality we live in. As security professionals, we owe it to ourselves to ensure we ask the right questions and make the right preparations as the landscape changes before us. Otherwise, we simply have our heads in the clouds.

Josh is an experienced information security analyst with over a decade of experience building, operating, and running Security Operations Centers (SOCs). Josh currently serves as VP and CTO - Emerging Technologies at FireEye. Until its acquisition by FireEye, Josh served as ...
Comments
Christian Bryant
User Rank: Ninja
12/20/2016 | 1:04:19 PM
Audit Yourself Even Before Implementation
This is a great list of questions.  When it comes to big tech moves from one platform to another, I believe acting as though you have the tech already and are about to have a Security audit helps answer lots of questions.  Using documents like Common Criteria, for instance, to walk through targets of evaluation either by using the technical documentation of the product(s), whitepapers on other implementations, documented exploits, and so on.  I've been reading Raymond Pompon's IT Security Risk Management which develops a thorough audit plan that could be used for such a purpose.  Security pros should approach every acquisition the same way they'd do working with a client.  Set yourself up for success and know that once you've done your soft audit, then implemented, you could have an auditor walk in and you'd pass with flying colors.